Are you sluggish on Mondays and Fridays? So are spammers.
That’s one of the findings IBM researchers came up with after going through six months of data captured in its honeypots to learn when spammers and their spam bots do the most work. The results were outlined in a blog published today.
The biggest day for spam was Tuesday, followed by Wednesday and Thursday, with significant drops on weekends. Either attackers want their weekends, or they assume many people don’t look at their email — particularly office email — on weekends.
However, infosec pros shouldn’t get complacent: According to a graph in the blog, while spam volumes are down Mondays and Fridays, it looks like it’s only a slight drop relative to other days.
(Total spam distribution per daily volumes. IBM graphic)
Spam volumes begin to increase around 1 a.m. on the U.S. East Coast, researchers found, because spammers start off with Europe before they follow the sun and start spamming recipients in the U.S. The big drop in spam comes at around 8 p.m. 4 p.m. EST, but some spamming lingers thereafter, likely only in the U.S. at that point.
Attackers are very conscious of when they send campaigns. For example, because some Trojans such as Dridex, TrickBot and QakBot are cybergang-owned malware designed to rob business bank accounts, these gangs make sure to spam employees in very pointed bouts of malicious mail, during business hours.
During the period studied the top country where spam originated from was India.
And while many spam campaigns are delivered by automated botnets IBM researchers believea lot of work that still goes into each one. “Botnet operators are constantly looking for new ways to circumvent spam filters and make it through to recipients’ inboxes without being blocked or their malicious attachments being disabled,” the blog says.
For example, IBM [NYSE: IBM] researchers found the Necurs botnet alone has shuffled its delivery tactics very frequently in the past few months, moving from filing Microsoft Office documents with malicious exploits, to poisoned PDF files embedded with a laced Office file, to sending malware in .WSF files. Most recently, the operators have been delivering fake DocuSign attachments to keep evading security.